"Secure Boot": Who will control your next computer?

FSFE's goal is to ensure that the owners of IT devices are always in full
and sole control of them. This fundamental principle
is recently being challenged.

With a function called "Secure Boot", which will be deployed in computers
starting 2012, manufacturers of IT hardware and software components are
striving to get into a position where they permanently control the IT devices
they produce. Hence such devices will be "secure" from the manufacturer's
perspective, but not necessarily from the owner's point of view: The owner can
be treated as an adversary. By preventing uses of the device which the
manufacturer does not intend, they can control and limit what a general purpose
IT machine (e.g. a PC, laptop, netbook) may be used for. In case of IT devices
with internet access, they can alter these usage restrictions at any time
without even informing the device owner. As a result, IT manufacturers at their
will can take away common rights owners of products usually receive.

"Secure Boot": Gatekeeper before the operating system

When powered on, IT devices execute a startup process called booting. In
case of computers this startup process is comprised of executing firmware. This
firmware, in turn, starts another program called a boot loader, which then
launches the actual operating system, on top of which applications can be
executed. In 2012 the industry-wide transition of PCs, notebooks, servers, and
other computers' firmware from conventional BIOS to UEFI will be mostly
complete. Compared to conventional BIOS, UEFI has several advantages, such as
faster boot time, operating system independent drivers, and the promise of
extended security.

The security aspect is handled by a function called "Secure Boot". Since
UEFI 2.3.1 (released April 8, 2011) "Secure Boot" ensures that during the boot
process only software will execute, which complies with one of predeployed
cryptographic signatures. This is done to prevent unwanted software from being
executed during the startup of the computer, by cryptographically verifying a
signature of each software component (various stages of the UEFI firmware, the
boot loader, the operating system kernel, etc.) before starting it. Therefore
the cryptographic signatures to be utilised have to be deployed in the UEFI
signature database of each IT device equipped with UEFI "Secure Boot",
before a cryptographically signed software component can be
started on that specific machine.

FSFE expects that the vast majority of the computer manufacturers will
implement "Secure Boot", as Microsoft has
announced that computer manufacturers must implement UEFI "Secure Boot",
if they want to acquire a Windows 8 certification for devices they build, e.g.
for putting the "Compatible with Windows 8" logo on them.

The computer: a general purpose machine

Evolving the computer as a general purpose machine over the past decades,
our society has created a powerful tool to perform all kinds of tasks with a
single machine. Now IT manufacturers have discovered that they may have an
economic interest to arbitrarily limit what these machines can achieve. With
"Secure Boot" the owners of IT devices will not be able to independently
determine the usage of their machines, as they cannot decide which software to
run.

The entity who eventually controls which software can be executed on a
device and thus determines the specific functions the device performs,
ultimately can control any data processed and stored by the device. In result,
the owner of an IT device may not be in sole control of their own data any
more.

For which devices does this apply?

Currently many people base their analysis of the UEFI situation on the
"Windows 8 Hardware Certification Requirements", published by Microsoft in
December 2011. It is understood that Microsoft did not and still does not have
to make any versions of these hardware-certification requirements public, as
they are the base of an individual contract between Microsoft and each hardware
manufacturer seeking to obtain Microsoft's Windows 8 Certification for their
computer-products. Hence the "Windows 8 Hardware Certification Requirements"
can change anytime without public notice, or specific details of the
logo-requirements may differ between manufacturers: Everything happens at
Microsoft's will and mostly behind closed doors. Thus nobody can rely on the
published version of the "Windows 8 Hardware Certification Requirements" being
static, but realise the details devised for "Secure Boot" as a "moving
target".

So the problem of "Secure Boot" is not necessarily limited to "Connected
Stand-By Systems" (probably a large share of the future market of notebooks,
netbooks and PCs) and computers based on ARM microprocessors (mainly tablets
and mobile phones), but can be expanded to any other type of devices by
Microsoft anytime. Equally, hardware manufacturers not producing Windows 8
devices may deploy UEFI "Secure Boot" or other boot processes restricted by the
help of cryptographic signatures. TiVo has been doing this for a decade, and
various gaming consoles from Sony to Microsoft are using cryptographically
restricted boot processes as well. Other device manufacturers may employ
specifications or requirements similar to the "Windows 8 Hardware Certification
Requirements", in order to artificially restrict the capabilities of IT
devices.

Restricitons to be extended to applications?

While the UEFI "Secure Boot" specification (as well as the specifications of
the Trusted Computing Group defining "Trusted Boot") covers the primary boot
process up to the operating system's kernel, the infrastructure to extend
signature-checking to all software running on a computer is mature and working
in various operating systems. But beside Windows 8 it is currently only
enforced for Windows device drivers.

Threat to general purpose computing

If all these measures would be solely under control of device owners, these
could be in their best interest, helping them to enhance security of the boot
process, which today is mostly unsecured. This would be the case
if the security subsystems specified by the UEFI forum and the
Trusted Computing Group (TCG) would technically guarantee the owner's
permanent, full and sole control over configuration and management of these
security subsystems, which includes the creation, storage, use and deletion of
cryptographic keys, certificates and signatures. But as soon as other entities
beside the device owner can utilise these security subsystems, this enables
them to preclude unintended or simply unforeseen usages of these IT
devices.

Hence, with the implementation of "Secure Boot", the availability of true
general purpose computers under full owner control may be greatly reduced.
Devices significantly restricted by measures as "Secure Boot" under company
control are usually called appliances or special purpose computers (e.g. media
centres, telephones, book readers). Thus at least some Windows 8 devices will
rather constitute a Windows appliance than a customary computer. While there
may be a market for such computing appliances, the FSFE strongly calls for
clearly labelling such IT devices as restricted to use models foreseen by a
company, in order to duly inform a potential buyer.

Is circumventing these restrictions an option?

IT savvy people may think that they have seen such measures before, and most
of them were cracked. This was the case in various models of the PlayStation
and Xbox gaming consoles, as well as many newer mobile phones. But the quality
and breadth is wider this time:

Its design and specification are result of a collective effort of IT
engineers from various companies. It draws on a decade of experience with
signature based boot processes and hence avoids many classical pitfalls, e.g.
the lack of a properly specified and cryptographically secured firmware
(UEFI) update process.

It utilises hardware based security subsystems, e.g. as specified by the
TCG (TPM or MTM, and accompanying specifications): While the UEFI
specification does not mandate a specific implementation of "protected
storage" for cryptographic keys, certificates and signatures, the recent TCG
specifications (since 2011) fit well.

Security flaws in "Secure Boot" implementations are expected (as in all
software), but as there will be commercial competition between UEFI vendors,
it is in their best interest to resolve these security flaws. In contrast, in
the past only individual manufacturers implemented cryptographically
restricted boot processes for their own, specific devices: TiVo Inc. for
their TIVOs, Microsoft for various generations of their Xbox, as well as Sony
for their Playstations.

Furthermore, even though many of similar usage restrictions have been cracked
in the past, this only shows that their technical implementations were flawed
and open to malware, hence not providing the "security" they were designed for.
Although this is likely to apply to some "Secure Boot" implementations as well,
breaking such mechanisms can never be a solution for freedom issues or the lack
of controllability by the device owner.

FSFE's demands

For maintaining sustained growth in the development and use of software, the
broad availability of general purpose computers is crucial.

FSFE demands that before purchasing a device, buyers must be informed
concisely about the technical measures implemented in this device, as well as
the specific usage restrictions and their consequences for the owner.

Furthermore, FSFE strongly recommends to exclusively purchase IT devices
which grant their owners full, sole and permanent control over security
subsystems (e. g. signature-based usage restrictions), in order to maintain the
ability to install arbitrary software and lastly to retain exclusive control
over ones own data.

Our Work

As a non-profit, non-governmental organisation, Free Software Foundation
Europe works to create general understanding and support for Free Software
and Open Standards in politics, business, law and society at large.